Keystore 2.0: sepolicy changes for vold to use keystore2
Vold needs to be able to search for keystore2 and keystore2 maintenance services, and call methods provided by those services. Bug: 181910578 Change-Id: I6e336c3bfaabe158b850dc175b6c9a942dd717be
This commit is contained in:
parent
794b7d83ec
commit
a999004528
@ -24,3 +24,8 @@ unix_socket_send(keystore, statsdw, statsd)
|
||||
allow keystore keystore2_key_contexts_file:file r_file_perms;
|
||||
|
||||
get_prop(keystore, keystore_listen_prop)
|
||||
|
||||
# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
|
||||
# can call keystore methods on those references.
|
||||
allow keystore vold:binder transfer;
|
||||
allow keystore wait_for_keymaster:binder transfer;
|
||||
|
@ -45,7 +45,11 @@ allow vold vold_key:keystore2_key {
|
||||
use
|
||||
};
|
||||
|
||||
# vold needs to call keystore methods
|
||||
allow vold keystore:binder call;
|
||||
|
||||
# vold needs to find keystore2 services
|
||||
allow vold keystore_service:service_manager find;
|
||||
allow vold keystore_maintenance_service:service_manager find;
|
||||
|
||||
# vold needs to be able to call earlyBootEnded()
|
||||
|
@ -7,3 +7,9 @@ init_daemon_domain(wait_for_keymaster)
|
||||
hal_client_domain(wait_for_keymaster, hal_keymaster)
|
||||
|
||||
allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
|
||||
|
||||
# wait_for_keymaster needs to find keystore and call methods with the returned
|
||||
# binder reference.
|
||||
allow wait_for_keymaster servicemanager:binder call;
|
||||
allow wait_for_keymaster keystore_service:service_manager find;
|
||||
allow wait_for_keymaster keystore:binder call;
|
||||
|
@ -351,6 +351,7 @@ neverallow vold {
|
||||
-healthd
|
||||
-hwservicemanager
|
||||
-iorapd_service
|
||||
-keystore
|
||||
-servicemanager
|
||||
-system_server
|
||||
userdebug_or_eng(`-su')
|
||||
|
Loading…
Reference in New Issue
Block a user